how to configure ACS 5.2 to manage Junos 10.4R6.5 fwl via TACACS+

Hi All,

I have a newly installed ACS 5.2 appliance integrated with our AD, and it's working with Cisco products (switches, routers, etc.). Now I would like to include Juniper firewalls as well, to be authenticated via ACS 5.2 for SSH and web access. Can someone share with me how to initiate this, i.e. the policy creation?

Re: how to configure ACS 5.2 to manage Junos 10.4R6.5 fwl via T

Marlon,

I have pasted in a config below that I did for our ScreenOS firewalls to work with Cisco ACS v5.2. This config may not work since yours is Junos, but it might get you closer to figuring it out. Also, if you haven't been on the Juniper J-Net to ask around there, give it a shot. (forums.juniper.net)

Note: you can also use 'read-write' but then local admin doesn't work correctly.
Click the [Add^] button above the Attribute field.
Click the [Submit] button at the bottom of the page.

2. Navigate to Access Policies > Access Services > Default Device Admin > Authorization. Create the Juniper Authorization Policy and filter by Device IP Address.
Click the [Customize] button at the bottom right of the page.
Under Customize Conditions, select Device IP Address from the left window.
Click the [>] button to add it.
Click the [OK] button to close the window.

Click the [Create] button at the bottom of the page to create a new rule.
Under General, name the new rule Juniper, and ensure it is Enabled.
Under Conditions, check the box next to Device IP Address and enter the IP address of the Juniper (192.168.1.100).
Under Results, click the [Select] button next to the Shell Profile field. Select 'Juniper' and click the [OK] button.
Under Results, click the [Select] button below the Command Sets (if used) field. Select 'Permit All' and ensure all other boxes are UNCHECKED. Click the [OK] button to close the window.
Click the [OK] button at the bottom of the page to close the window.
Check the box next to the Juniper policy, then move the policy to the top of the list.
Click the [Save Changes] button at the bottom of the page.

Verification:

Log in to the Juniper CLI and GUI using an ACS Internal User account, and attempt to change something to verify the privilege level.
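For the Junos side of the same setup, here is an added example configuration (not part of the reply above, which covers ScreenOS) that points the firewall at the ACS server over TACACS+ and maps remote users onto local template accounts. The server address 192.168.1.10, the shared-secret placeholder and the template user names are assumptions; lines beginning with # are annotations, not Junos commands.

```text
# Assumed ACS server address and a placeholder shared secret (replace both)
set system tacplus-server 192.168.1.10 secret "<shared-secret>"
set system tacplus-server 192.168.1.10 timeout 5
set system tacplus-server 192.168.1.10 single-connection
# Try TACACS+ first; local passwords are consulted only if the server does not respond,
# not when it rejects the login
set system authentication-order [ tacplus password ]
# Template accounts that remote users are mapped onto. With no attribute returned,
# Junos uses the account named "remote"; the ACS shell profile can return the
# Junos custom attribute local-user-name=remote-ro to land a user in the read-only template
set system login user remote uid 2000 class super-user
set system login user remote-ro uid 2001 class read-only
# Send login, configuration-change and command accounting to the same server
set system accounting events [ login change-log interactive-commands ]
set system accounting destination tacplus server 192.168.1.10 secret "<shared-secret>"
```

After committing, repeat the verification above with a read-only and a super-user ACS account to confirm that each lands in the intended template class.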

Re: how to configure ACS 5.2 to manage Junos 10.4R6.5 fwl via T

On my SSG, I have the following:

set auth-server "Local" id 0
set auth-server "Local" server-name "Local"

On the SSG webGUI, I go to Configuration > Admin > Administrators and there is a drop-down for "Admin Auth Server." I have "Local/CiscoACS" selected. I don't know if your firewall has the same sort of setting, but that's the best I can come up with.

